The deadline for adopting and publishing Directive 2009/136/EC is 25 May 2011. This Directive, inter alia, amends Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector, the so-called e-privacy Directive.
The three major changes are the following:
1) Security Breach Notification
According to this principle, the provider of publicly available electronic communication services shall immediately notify violations to the competent national authority as well as directly to subscribers and other persons concerned. The notification must also indicate the measures recommended to mitigate the damage.
In brief, consent will be needed in order to install cookies on users’ computers.
3) Unsolicited commercial communications
Prior subscriber consent is required in case of unsolicited commercial communication. In any event, if national legislation, as is now the case in Italy, in some cases permits the sending of commercial communications according to the opt-out system, which allows subscribers to express rejection, the Directive provides that Member States shall in any case use appropriate measures to ensure adequate protection.